Lowering the Bar for Leakers

Leaking and leakers were in the news in the waning days of the Obama administration. Chelsa Manning, source of the Afghan War Diary, had her 35 year sentence commuted to seven years by President Obama. Edward Snowden, who leaked a wide variety of materials, was discussed as a candidate for a pardon, but none was forthcoming.

Why “America’s intelligence professionals” pouting over disclosures of their illegal and ineffectual activities is relevant to pardoning Snowden isn’t clear. In any event, Snowden continues to reside in Russia.

What is clear is that leakers bear the risk of obtaining and leaking material of great public interest. Some of that risk is an artifact of current practices for leaking.

Present Day Leaking Practices

Begin by bringing your personal computer to a Wi-Fi network that isn’t associated with you or your employer, like one at a coffee shop. Download the Tor Browser. (Tor allows you to go online while concealing your IP address from the websites you visit.)

You can access our SecureDrop server by going to http://y6xjgkgwj47us5ca.onion/ in the Tor Browser. This is a special kind of URL that only works in Tor. Do NOT type this URL into a non-Tor Browser. It won’t work — and it will leave a record.

If that is too complicated, or you don’t wish to engage in back-and-forth communication with us, a perfectly good alternative is to simply send mail to P.O. Box 65679, Washington, D.C., 20035, or to The Intercept, 114 Fifth Avenue, 18th Floor, New York, New York, 10011. Drop it in a mailbox (do not send it from home, work or a post office) with no return address.

Whether faulty reasoning spreads from the Ninth Circuit or not, it remains clear that avoiding copying, smuggling, etc., as with credential leaking, poses a reduced risk to leakers.

On the other hand, under the provisions of 18 USC 1030 (Computer Fraud & Abuse Act (CFAA)), the risk to any reporter or news media organization that makes use of leaked credentials, the risk is elevated.

Elevated to federal felony level risk.

That may seem like a poor trade for the news media, but consider that the New York Times has stables of internal counsel, not to mention external counsel and financial resources that aren’t available to the average leaker.

Moreover, the New York Times has access to highly competent computer experts who can “leak” data to its reporters via secure means, enabling reporters to truthfully testify as to the origin of leaked materials used in their stories.

Unlike current leaking practices, where the leaker takes all the risks, considerable risks, credential leaking allocates the leak and risk to those best able to accomplish it with a margin of safety.

Along with that reallocation of risk, comes the potential to greatly democratize the practice of leaking.

Not a complete listing of the categories. I selected those where scandals and/or scandalous materials are most often found.

By my count, 35,392,400 potential leakers.

Compare The Intercept‘s long treatment with on the masthead of Times-with-a-Spine (fictitous newspaper):

Leakers (see A-2)

On page A-2:

If you are going to leak:

Write login credentials (not your own), login URL, on paper

Mail to (news address) – no return address

We destroy all leaked credentials upon receipt

Push an ad with the same content into daily shoppers, free/community newspapers, websites, etc. Perhaps even Amazon ads keyed to people with .gov and .mil email addresses.

How news organizations will use leaked credentials I cannot say. In order to protect leakers, however, any credential leaks should be destroyed upon determination they are credential leaks. (Complete burning with paper of similar origins into a fine ash, sifting and secure burial for starters.)